Search in sources :

Example 21 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project jss by dogtagpki.

the class EnumerationZeroTest method buildCrl.

/**
 * Build a CRL using JSS
 * @param useZero whether or not to try creating a CRLEntry with the reason set to "unspecified"
 * @return an X509CRL object
 * @throws Exception if anything goes wrong
 */
public static X509CRL buildCrl(boolean useZero) throws Exception {
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(2048);
    KeyPair kp = generator.generateKeyPair();
    List<RevokedCertificate> revokedCerts = new ArrayList<>();
    for (int i = 0; i <= 10; i++) {
        // 7 is an unused value in the enumeration
        if (i == 7 || (i == 0 && !useZero)) {
            continue;
        }
        CRLReasonExtension reasonExt = new CRLReasonExtension(RevocationReason.fromInt(i));
        outputExtension(reasonExt);
        CRLExtensions entryExtensions = new CRLExtensions();
        entryExtensions.add(reasonExt);
        revokedCerts.add(new RevokedCertImpl(BigInteger.valueOf(i), new Date(), entryExtensions));
    }
    CRLExtensions crlExtensions = new CRLExtensions();
    crlExtensions.add(new CRLNumberExtension(BigInteger.ONE));
    crlExtensions.add(buildAuthorityKeyIdentifier((RSAPublicKey) kp.getPublic()));
    X500Name issuer = new X500Name("CN=Test");
    Date now = new Date();
    Calendar calendar = Calendar.getInstance();
    calendar.add(Calendar.DAY_OF_MONTH, 365);
    Date until = calendar.getTime();
    X509CRLImpl crlImpl = new X509CRLImpl(issuer, now, until, revokedCerts.toArray(new RevokedCertificate[] {}), crlExtensions);
    crlImpl.sign(kp.getPrivate(), "SHA256withRSA");
    CertificateFactory cf = CertificateFactory.getInstance("X.509");
    byte[] data = crlImpl.getEncoded();
    return (X509CRL) cf.generateCRL(new ByteArrayInputStream(data));
}
Also used : KeyPair(java.security.KeyPair) X509CRL(java.security.cert.X509CRL) Calendar(java.util.Calendar) ArrayList(java.util.ArrayList) RevokedCertificate(org.mozilla.jss.netscape.security.x509.RevokedCertificate) KeyPairGenerator(java.security.KeyPairGenerator) X500Name(org.mozilla.jss.netscape.security.x509.X500Name) CertificateFactory(java.security.cert.CertificateFactory) Date(java.util.Date) RevokedCertImpl(org.mozilla.jss.netscape.security.x509.RevokedCertImpl) RSAPublicKey(java.security.interfaces.RSAPublicKey) ByteArrayInputStream(java.io.ByteArrayInputStream) CRLReasonExtension(org.mozilla.jss.netscape.security.x509.CRLReasonExtension) CRLNumberExtension(org.mozilla.jss.netscape.security.x509.CRLNumberExtension) X509CRLImpl(org.mozilla.jss.netscape.security.x509.X509CRLImpl) CRLExtensions(org.mozilla.jss.netscape.security.x509.CRLExtensions)

Example 22 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project jdchain-core by blockchain-jd-com.

the class CATestPlus method run.

@Override
public void run() {
    File caHome = new File(caCli.getCaHome());
    if (!caHome.exists()) {
        caHome.mkdirs();
    }
    try {
        if (StringUtils.isEmpty(password)) {
            password = caCli.scanValue("password for all private keys");
        }
        Security.removeProvider("SunEC");
        PrivKey issuerPrivKey = null;
        PrivateKey issuerPrivateKey = null;
        X509Certificate issuerCrt = null;
        File trustStoreFile = new File(caCli.getTlsHome() + File.separator + "trust.jks");
        for (int i = 0; i < nodes + users + gws + 1; i++) {
            String name;
            CertificateRole ou;
            if (i == 0) {
                name = "root";
                ou = CertificateRole.ROOT;
            } else if (i <= nodes) {
                name = "peer" + (i - 1);
                ou = CertificateRole.PEER;
            } else if (i <= nodes + gws) {
                name = "gw" + (i - nodes - 1);
                ou = CertificateRole.GW;
            } else {
                name = "user" + (i - nodes - gws - 1);
                ou = CertificateRole.USER;
            }
            algorithm = algorithm.toUpperCase();
            AsymmetricKeypair keypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
            String pubkey = KeyGenUtils.encodePubKey(keypair.getPubKey());
            String base58pwd = KeyGenUtils.encodePasswordAsBase58(password);
            String privkey = KeyGenUtils.encodePrivKey(keypair.getPrivKey(), base58pwd);
            FileUtils.writeText(pubkey, new File(caCli.getKeysHome() + File.separator + name + ".pub"));
            FileUtils.writeText(privkey, new File(caCli.getKeysHome() + File.separator + name + ".priv"));
            FileUtils.writeText(base58pwd, new File(caCli.getKeysHome() + File.separator + name + ".pwd"));
            if (i == 0) {
                issuerPrivKey = keypair.getPrivKey();
                issuerPrivateKey = CertificateUtils.retrievePrivateKey(issuerPrivKey);
            }
            X500Name subject = caCli.buildRDN(organization, ou, country, province, locality, name, email);
            X509Certificate certificate = caCli.genCert(CertificateUsage.SIGN, algorithm, name, subject, ou, CertificateUtils.retrievePublicKey(keypair.getPubKey()), issuerPrivateKey, issuerCrt);
            if (i == 0) {
                FileUtils.writeText(CertificateUtils.toPEMString(certificate), new File(caCli.getCaHome() + File.separator + name + ".crt"));
                issuerCrt = certificate;
                caCli.trustStore(trustStoreFile, name, password, certificate);
            } else {
                FileUtils.writeText(CertificateUtils.toPEMString(certificate), new File(caCli.getSignHome() + File.separator + name + ".crt"));
                String ip = "127.0.0.1";
                switch(ou) {
                    case PEER:
                        if (nodeIPs.length >= i) {
                            ip = nodeIPs[i - 1];
                        }
                        break;
                    case GW:
                        if (gwIPs.length >= i - nodes) {
                            ip = gwIPs[i - nodes - 1];
                        }
                        break;
                    case USER:
                        if (gwIPs.length >= i - nodes - gws) {
                            ip = userIPs[i - nodes - gws - 1];
                        }
                        break;
                    default:
                        break;
                }
                PrivateKey privateKey = CertificateUtils.retrievePrivateKey(keypair.getPrivKey(), keypair.getPubKey());
                FileUtils.writeText(CertificateUtils.toPEMString(algorithm, privateKey), new File(caCli.getKeysHome() + File.separator + name + ".key"));
                if (!algorithm.equalsIgnoreCase("SM2")) {
                    subject = caCli.buildRDN(organization, ou, country, province, locality, ip, email);
                    X509Certificate tlsCertificate = caCli.genCert(CertificateUsage.TLS, algorithm, ip, subject, ou, CertificateUtils.retrievePublicKey(keypair.getPubKey()), issuerPrivateKey, issuerCrt);
                    FileUtils.writeText(CertificateUtils.toPEMString(tlsCertificate), new File(caCli.getTlsHome() + File.separator + name + ".crt"));
                    caCli.keyStore(privateKey, name, password, tlsCertificate, issuerCrt);
                    caCli.trustStore(trustStoreFile, name, password, tlsCertificate);
                } else {
                    AsymmetricKeypair signKeypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
                    subject = caCli.buildRDN(organization, ou, country, province, locality, ip, email);
                    X509Certificate signCertificate = caCli.genCert(CertificateUsage.TLS_SIGN, algorithm, ip, subject, ou, CertificateUtils.retrievePublicKey(signKeypair.getPubKey()), issuerPrivateKey, issuerCrt);
                    FileUtils.writeText(CertificateUtils.toPEMString(signCertificate), new File(caCli.getTlsHome() + File.separator + name + ".sign.crt"));
                    PrivateKey signPrivateKey = CertificateUtils.retrievePrivateKey(signKeypair.getPrivKey(), signKeypair.getPubKey());
                    FileUtils.writeText(CertificateUtils.toPEMString(signPrivateKey), new File(caCli.getKeysHome() + File.separator + name + ".sign.key"));
                    caCli.keyStore(signPrivateKey, name + ".sign", password, signCertificate, issuerCrt);
                    AsymmetricKeypair encKeypair = Crypto.getSignatureFunction(algorithm).generateKeypair();
                    X509Certificate encCertificate = caCli.genCert(CertificateUsage.TLS_ENC, algorithm, ip, subject, ou, CertificateUtils.retrievePublicKey(encKeypair.getPubKey()), issuerPrivateKey, issuerCrt);
                    FileUtils.writeText(CertificateUtils.toPEMString(encCertificate), new File(caCli.getTlsHome() + File.separator + name + ".enc.crt"));
                    PrivateKey encPrivateKey = CertificateUtils.retrievePrivateKey(encKeypair.getPrivKey(), encKeypair.getPubKey());
                    FileUtils.writeText(CertificateUtils.toPEMString(encPrivateKey), new File(caCli.getKeysHome() + File.separator + name + ".enc.key"));
                    caCli.keyStore(encPrivateKey, name + ".enc", password, encCertificate, issuerCrt);
                    caCli.doubleKeysStore(name, signPrivateKey, encPrivateKey, password, signCertificate, encCertificate, issuerCrt);
                    caCli.trustStore(trustStoreFile, name + ".sign", password, signCertificate);
                    caCli.trustStore(trustStoreFile, name + ".enc", password, encCertificate);
                }
            }
        }
        System.out.println("create test certificates in [" + caCli.getCaHome() + "] success");
    } catch (Exception e) {
        e.printStackTrace();
    }
}
Also used : PrivateKey(java.security.PrivateKey) X500Name(org.bouncycastle.asn1.x500.X500Name) CertificateRole(com.jd.blockchain.ca.CertificateRole) X509Certificate(java.security.cert.X509Certificate)

Example 23 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project webauthn4j by webauthn4j.

the class TestAttestationUtil method createV1DummyCertificate.

public static X509Certificate createV1DummyCertificate() {
    try {
        X509v1CertificateBuilder certificateBuilder = new X509v1CertificateBuilder(new X500Name("O=SharpLab., C=US"), BigInteger.valueOf(1), Date.from(Instant.parse("2000-01-01T00:00:00Z")), Date.from(Instant.parse("2999-12-31T23:59:59Z")), new X500Name("O=SharpLab., C=US"), new SubjectPublicKeyInfo(new DefaultSignatureAlgorithmIdentifierFinder().find("SHA256WITHRSA"), new byte[0]));
        ContentSigner contentSigner = new JcaContentSignerBuilder("SHA256withRSA").build(RSAUtil.createKeyPair().getPrivate());
        X509CertificateHolder certificateHolder = certificateBuilder.build(contentSigner);
        try {
            return new JcaX509CertificateConverter().getCertificate(certificateHolder);
        } catch (CertificateException e) {
            throw new com.webauthn4j.validator.exception.CertificateException(e);
        }
    } catch (OperatorCreationException e) {
        throw new UnexpectedCheckedException(e);
    }
}
Also used : UnexpectedCheckedException(com.webauthn4j.util.exception.UnexpectedCheckedException) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) ContentSigner(org.bouncycastle.operator.ContentSigner) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) X509v1CertificateBuilder(org.bouncycastle.cert.X509v1CertificateBuilder) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException)

Example 24 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project webauthn4j by webauthn4j.

the class PackedAttestationStatementValidatorTest method generateCertPath.

private static AttestationCertificatePath generateCertPath(KeyPair pair, String signAlg) {
    try {
        Provider bcProvider = new BouncyCastleProvider();
        // Security.addProvider(bcProvider);
        long now = System.currentTimeMillis();
        Date from = new Date(now);
        Date to = new Date(from.getTime() + TimeUnit.DAYS.toMillis(1));
        X500Name dnName = new X500Name("C=ORG, O=Dummy Org, OU=Authenticator Attestation, CN=Dummy");
        BigInteger certSerialNumber = BigInteger.ZERO;
        Calendar calendar = Calendar.getInstance();
        calendar.setTime(from);
        calendar.add(Calendar.YEAR, 1);
        ContentSigner contentSigner = new JcaContentSignerBuilder(signAlg).build(pair.getPrivate());
        JcaX509v3CertificateBuilder certBuilder = new JcaX509v3CertificateBuilder(dnName, certSerialNumber, from, to, dnName, pair.getPublic());
        BasicConstraints basicConstraints = new BasicConstraints(false);
        certBuilder.addExtension(new ASN1ObjectIdentifier("2.5.29.19"), true, basicConstraints);
        X509Certificate certificate = new JcaX509CertificateConverter().setProvider(bcProvider).getCertificate(certBuilder.build(contentSigner));
        return new AttestationCertificatePath(Collections.singletonList(certificate));
    } catch (OperatorCreationException | CertificateException | CertIOException e) {
        throw new UnexpectedCheckedException(e);
    }
}
Also used : UnexpectedCheckedException(com.webauthn4j.util.exception.UnexpectedCheckedException) AttestationCertificatePath(com.webauthn4j.data.attestation.statement.AttestationCertificatePath) JcaContentSignerBuilder(org.bouncycastle.operator.jcajce.JcaContentSignerBuilder) Calendar(java.util.Calendar) ContentSigner(org.bouncycastle.operator.ContentSigner) CertificateException(java.security.cert.CertificateException) X500Name(org.bouncycastle.asn1.x500.X500Name) CertIOException(org.bouncycastle.cert.CertIOException) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) JcaX509v3CertificateBuilder(org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder) BigInteger(java.math.BigInteger) OperatorCreationException(org.bouncycastle.operator.OperatorCreationException) BasicConstraints(org.bouncycastle.asn1.x509.BasicConstraints) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier) BouncyCastleProvider(org.bouncycastle.jce.provider.BouncyCastleProvider)

Example 25 with X500Name

use of org.mozilla.jss.netscape.security.x509.X500Name in project snowblossom by snowblossomcoin.

the class CertGen method generateSelfSignedCert.

/**
 * @param key_pair Key pair to use to sign the cert inner signed message, the node key
 * @param tls_wkp The temporary key to use just for this cert and TLS sessions
 * @param spec Address for 'key_pair'
 */
public static X509Certificate generateSelfSignedCert(WalletKeyPair key_pair, WalletKeyPair tls_wkp, AddressSpec spec) throws Exception {
    AddressSpecHash address_hash = AddressUtil.getHashForSpec(spec);
    String address = AddressUtil.getAddressString(Globals.NODE_ADDRESS_STRING, address_hash);
    byte[] encoded_pub = tls_wkp.getPublicKey().toByteArray();
    SubjectPublicKeyInfo subjectPublicKeyInfo = new SubjectPublicKeyInfo(ASN1Sequence.getInstance(encoded_pub));
    String dn = String.format("CN=%s, O=Snowblossom", address);
    X500Name issuer = new X500Name(dn);
    BigInteger serial = BigInteger.valueOf(System.currentTimeMillis());
    Date notBefore = new Date(System.currentTimeMillis());
    Date notAfter = new Date(System.currentTimeMillis() + 86400000L * 365L * 10L);
    X500Name subject = issuer;
    X509v3CertificateBuilder cert_builder = new X509v3CertificateBuilder(issuer, serial, notBefore, notAfter, subject, subjectPublicKeyInfo);
    // System.out.println(org.bouncycastle.asn1.x509.Extension.subjectAlternativeName);
    ASN1ObjectIdentifier snow_claim_oid = new ASN1ObjectIdentifier("2.5.29.134");
    // System.out.println(spec);
    SignedMessagePayload payload = SignedMessagePayload.newBuilder().setTlsPublicKey(tls_wkp.getPublicKey()).build();
    SignedMessage sm = MsgSigUtil.signMessage(spec, key_pair, payload);
    byte[] sm_data = sm.toByteString().toByteArray();
    cert_builder.addExtension(snow_claim_oid, true, sm_data);
    String algorithm = "SHA256withRSA";
    AsymmetricKeyParameter privateKeyAsymKeyParam = PrivateKeyFactory.createKey(tls_wkp.getPrivateKey().toByteArray());
    AlgorithmIdentifier sigAlgId = new DefaultSignatureAlgorithmIdentifierFinder().find(algorithm);
    AlgorithmIdentifier digAlgId = new DefaultDigestAlgorithmIdentifierFinder().find(sigAlgId);
    // ContentSigner sigGen = new BcECContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
    ContentSigner sigGen = new BcRSAContentSignerBuilder(sigAlgId, digAlgId).build(privateKeyAsymKeyParam);
    X509CertificateHolder certificateHolder = cert_builder.build(sigGen);
    X509Certificate cert = new JcaX509CertificateConverter().setProvider("BC").getCertificate(certificateHolder);
    return cert;
}
Also used : SignedMessagePayload(snowblossom.proto.SignedMessagePayload) SignedMessage(snowblossom.proto.SignedMessage) ContentSigner(org.bouncycastle.operator.ContentSigner) ByteString(com.google.protobuf.ByteString) X500Name(org.bouncycastle.asn1.x500.X500Name) SubjectPublicKeyInfo(org.bouncycastle.asn1.x509.SubjectPublicKeyInfo) DefaultDigestAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultDigestAlgorithmIdentifierFinder) Date(java.util.Date) X509Certificate(java.security.cert.X509Certificate) AlgorithmIdentifier(org.bouncycastle.asn1.x509.AlgorithmIdentifier) DefaultSignatureAlgorithmIdentifierFinder(org.bouncycastle.operator.DefaultSignatureAlgorithmIdentifierFinder) BcRSAContentSignerBuilder(org.bouncycastle.operator.bc.BcRSAContentSignerBuilder) AsymmetricKeyParameter(org.bouncycastle.crypto.params.AsymmetricKeyParameter) X509v3CertificateBuilder(org.bouncycastle.cert.X509v3CertificateBuilder) JcaX509CertificateConverter(org.bouncycastle.cert.jcajce.JcaX509CertificateConverter) X509CertificateHolder(org.bouncycastle.cert.X509CertificateHolder) BigInteger(java.math.BigInteger) AddressSpecHash(snowblossom.lib.AddressSpecHash) ASN1ObjectIdentifier(org.bouncycastle.asn1.ASN1ObjectIdentifier)

Aggregations

X500Name (org.bouncycastle.asn1.x500.X500Name)510 X509Certificate (java.security.cert.X509Certificate)182 BigInteger (java.math.BigInteger)175 Date (java.util.Date)168 JcaContentSignerBuilder (org.bouncycastle.operator.jcajce.JcaContentSignerBuilder)158 ContentSigner (org.bouncycastle.operator.ContentSigner)149 JcaX509CertificateConverter (org.bouncycastle.cert.jcajce.JcaX509CertificateConverter)145 X509CertificateHolder (org.bouncycastle.cert.X509CertificateHolder)127 X509v3CertificateBuilder (org.bouncycastle.cert.X509v3CertificateBuilder)127 IOException (java.io.IOException)104 JcaX509v3CertificateBuilder (org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder)100 SubjectPublicKeyInfo (org.bouncycastle.asn1.x509.SubjectPublicKeyInfo)93 KeyPair (java.security.KeyPair)79 RDN (org.bouncycastle.asn1.x500.RDN)75 X500Name (sun.security.x509.X500Name)68 PrivateKey (java.security.PrivateKey)64 CertificateException (java.security.cert.CertificateException)64 ASN1ObjectIdentifier (org.bouncycastle.asn1.ASN1ObjectIdentifier)55 BasicConstraints (org.bouncycastle.asn1.x509.BasicConstraints)55 SecureRandom (java.security.SecureRandom)54